From: Al Viro <viro@ZenIV.linux.org.uk>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Linux Containers <containers@lists.linux-foundation.org>,
linux-fsdevel@vger.kernel.org,
Andy Lutomirski <luto@amacapital.net>,
"Serge E. Hallyn" <serge@hallyn.com>,
Richard Weinberger <richard@nod.at>,
Andrey Vagin <avagin@openvz.org>, Jann Horn <jann@thejh.net>,
Willy Tarreau <w@1wt.eu>, Omar Sandoval <osandov@osandov.com>
Subject: Re: [PATCH review 4/4] vfs: Do not allow escaping from bind mounts.
Date: Fri, 10 Apr 2015 04:14:57 +0100
Message-ID: <20150410031457.GD889@ZenIV.linux.org.uk>
In-Reply-To: <874moo1ysg.fsf@x220.int.ebiederm.org>

On Thu, Apr 09, 2015 at 09:51:11PM -0500, Eric W. Biederman wrote:
> And a process opened /tmp/c/c/x.
> d_path on that file descriptor before __d_move would say:
>
> /tmp/c/c/x
>
> after the __d_move d_path would say:
>
> /tmp/c/a/x

So what?

> Which is bizarrely weird in this example, and could potentially be
> an exploitable information leak in the hands of someone who knew
> what they were doing.
>
> I am not clever enough to take that deleted directory and walk up the
> tree, so the damage may be limited to seeing the true path on the
> filesystem. But it just may be that I am dense today.
>
> Furthermore all of the relevant changes to the dentry that happen
> when exchange is true also happen when exchange is false, so I am very
> reluctant to believe that the non-exchange case is not exploitable by a
> sufficiently clever individual.

Exploited how? The same assistant might very well have done
	echo "/tmp/c/a/x or whatever else I might want to pass to you" >/tmp/c/c/x
and passed whatever information they wanted _that_ way.

As it is, you've created one hell of a DoS - *anyone* can poison
any vfsmount covering a subtree if they have access to a containing subtree
somewhere and write permissions on a directory inside and directory outside
of the victim one.